Understanding the Shadow Hash

So there are a LOT of posts about people trying to figure out these hashes so that they can be better at cracking the password, rather than just leaving it to fate and having a program do ALL of the work. So I have a SMALL amount of input:

$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::

This is a hash from the /etc/shadow file on one (not telling which one) of the ‘Vulnerable By Design’ systems.

The XROmcfDX is the salt.
“salt” stands for the up to 16 characters following “$id$” in the salt. The encrypted part of the password string is the actual computed password. The size of this string is fixed:

MD5 | 22 characters
SHA-256 | 43 characters
SHA-512 | 86 characters

The last part, tF93GqnLHOJeGRHpaNyIs0, is the actual password encrypted (hashed) by the algorithm named in the ‘id’ section.

So the shadow file format goes like this: $id$salt$encrypted
Everything is separated by the $.

In order to crack the password you need to:
Look at the type of hash it is ($1$ = MD5).
Extract the salt and the encrypted password (XROmcfDX$tF93GqnLHOJeGRHpaNyIs0). Notice that the salt and the encrypted password are separated by the $.

The extra stuff on the end is just information about the account…sometimes it can be useful if you’re creative.

:14513:0:99999:7:::
It starts with the : and is a series of 6 different fields of information.
The first field, :14513:, means “last changed”: days since Jan 1, 1970 that the password was last changed.

The :0: is Minimum: The minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password

The :99999: is Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)

The :7: is Warn: The number of days before the password is to expire that the user is warned that his/her password must be changed

The last two fields are NORMALLY (in my experience) just two :: but just in case you come across one that is filled in, here is what it means:

:: Inactive : The number of days after the password expires that the account is disabled

:: Expire : Days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used
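
The field layout described in this post, as an added Python example that is not part of the original post: it splits one shadow line into the $id$salt$encrypted parts and the aging fields, checks the hash length against the table above, and lists what an administrator would want to fix. The user name "alice", the `audit` findings and the handling of an optional `rounds=` parameter are assumptions added for illustration.

```python
from datetime import date, timedelta

# Scheme ids and fixed hash lengths, from the table on this page.
SCHEMES = {"1": ("MD5", 22), "5": ("SHA-256", 43), "6": ("SHA-512", 86)}
AGING = ("last_changed", "minimum", "maximum", "warn", "inactive", "expire")
EPOCH = date(1970, 1, 1)

def parse_shadow_line(line):
    """Split one /etc/shadow line into name, hash parts and aging fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("expected a name, a password field and 6 aging fields")
    entry = {"name": fields[0], "scheme": None, "salt": None,
             "hash": None, "well_formed": False}
    parts = fields[1].split("$")  # "$id$salt$encrypted" -> ["", id, salt, encrypted]
    if len(parts) == 5 and parts[2].startswith("rounds="):
        del parts[2]  # optional SHA-crypt rounds parameter, not covered on this page
    if len(parts) == 4 and parts[0] == "" and parts[1] in SCHEMES:
        scheme, expected_len = SCHEMES[parts[1]]
        entry.update(scheme=scheme, salt=parts[2], hash=parts[3],
                     well_formed=len(parts[2]) <= 16 and len(parts[3]) == expected_len)
    for key, raw in zip(AGING, fields[2:8]):
        entry[key] = int(raw) if raw else None  # empty field = not set
    for key in ("last_changed", "expire"):
        days = entry[key]
        entry[key + "_date"] = EPOCH + timedelta(days=days) if days is not None else None
    return entry

def audit(entry):
    """Return defender-side findings for one parsed entry (assumed policy)."""
    findings = []
    if entry["scheme"] is None:
        findings.append("no recognised $id$salt$encrypted hash (locked or other format)")
    elif not entry["well_formed"]:
        findings.append("salt or hash length does not match the scheme")
    elif entry["scheme"] == "MD5":
        findings.append("MD5-based hash: rehash with a stronger scheme such as SHA-512")
    if entry["maximum"] is None or entry["maximum"] >= 99999:
        findings.append("maximum age unset or 99999 days: password effectively never expires")
    return findings

# Constructed sample: the hash and aging fields from this page behind a made-up user name.
SAMPLE = "alice:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::"

if __name__ == "__main__":
    parsed = parse_shadow_line(SAMPLE)
    print(parsed["scheme"], parsed["salt"], parsed["last_changed_date"], audit(parsed))
```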